| Summary: | SELinux is preventing /bin/systemctl from 'read' accesses on the directory /lib/systemd/system. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Zdenek Chmelar <chmelarz> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | dominick.grift, dwalsh, harald, johannbg, kay, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba, thub |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:5fd2de01bd3cda7c9044f837c7c8f66bd91a77fefa2cfb6921772bfa363e08c9 | | |
| Fixed In Version: | selinux-policy-3.10.0-40.fc16 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-19 04:30:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
What does `# systemctl status ntpd.service` say? ntpd should be correctly running. We have search permission which should be enough and this would be dontaudited.

---

Hello Miroslav,

ok, selinux updated and this is the outcome of that command:

```
[liveuser@localhost ~]$ systemctl status ntpd.service
ntpd.service
	  Loaded: error (Reason: No such file or directory)
	  Active: inactive (dead)
[liveuser@localhost ~]$
```

I will reinstall the live-cd on my USB because it's possible the current version is too outdated (F16 RC4) and maybe I miss some important updates of other system components that could cause this mess. I will use the official beta release of F16 and will post an update in a few minutes.

(just a comment: I installed F16 in a virtual machine as well and I do not have these errors (even the other reported bugs) there even if the older selinux-policy is installed. The system is running in fallback mode).

---

Hi again,

let's make a silent agreement that the post above doesn't exist, ok? :) I have read the content of the command properly this time and found that I'm checking a service that's not installed on the system at all. I fixed that mistake and here is the report again:

```
[root@localhost liveuser]# systemctl status ntpd.service
ntpd.service - Network Time Service
	  Loaded: loaded (/lib/systemd/system/ntpd.service; disabled)
	  Active: inactive (dead)
	  CGroup: name=systemd:/system/ntpd.service
```

It seems I have some problems to load the service. When I try to start it, it ends with failed status:

```
[root@localhost liveuser]# systemctl status ntpd.service
ntpd.service - Network Time Service
	  Loaded: loaded (/lib/systemd/system/ntpd.service; disabled)
	  Active: failed since Fri, 07 Oct 2011 17:11:10 +0200; 3s ago
	 Process: 3258 ExecStart=/usr/sbin/ntpd -n -u ntp:ntp $OPTIONS (code=exited, status=127)
	  CGroup: name=systemd:/system/ntpd.service
[root@localhost liveuser]# systemctl | grep ntpd
ntpd.service              loaded failed failed  Network Time Service
```

The selinux-policy error still persists.

---

1. Official beta release live-cd installed
2. ntpd service related packages are not installed by default.
3. After the install of ntp and ntpdate packages, I'm still not able to start the service

   ```
   [root@localhost liveuser]# systemctl | grep ntpd.service
   ntpd.service              loaded failed failed  Network Time Service
   [root@localhost Downloads]# systemctl status ntpd.service
   ntpd.service - Network Time Service
   	  Loaded: loaded (/lib/systemd/system/ntpd.service; disabled)
   	  Active: failed since Fri, 07 Oct 2011 12:00:03 -0400; 11min ago
   	Main PID: 2007 (code=exited, status=127)
   	  CGroup: name=systemd:/system/ntpd.service
   ```

4. Latest SELinux installed

   ```
   Updated:
     selinux-policy.noarch 0:3.10.0-38.fc16
     selinux-policy-targeted.noarch 0:3.10.0-38.fc16
   ```

5. "Date and Time" settings opened - no error pops up (fixed as reported in another bug)
6. Unlock the settings to enable modifications - still ok, no error
7. Switching Network to "ON" --> 2 SELinux error notifications pop up (when trying to report it, ABRT shows that both bugs exist already: bug 704692 and bug 743994).

---

Are you able to start it using `# systemctl start ntpd.service`?

---

This is exactly what I did:

```
[root@localhost liveuser]# systemctl start ntpd.service
[root@localhost liveuser]# systemctl status ntpd.service
ntpd.service - Network Time Service
	  Loaded: loaded (/lib/systemd/system/ntpd.service; disabled)
	  Active: failed since Fri, 07 Oct 2011 12:42:36 -0400; 8s ago
	 Process: 3912 ExecStart=/usr/sbin/ntpd -n -u ntp:ntp $OPTIONS (code=exited, status=127)
	  CGroup: name=systemd:/system/ntpd.service
```

Well no, I'm not able to start it.

---

The AVC is fixed in selinux-policy-3.10.0-39.fc16. Just try

```
# setenforce 0
# systemctl start ntpd.service
```

---

I'm sorry but still the same result. I updated to selinux-policy-3.10.0-38.fc16 (I didn't find version *.39 in koji). Both commands executed as required above (as root).

Service didn't start:

```
# systemctl status ntpd.service
ntpd.service - Network Time Service
	  Loaded: loaded (/lib/systemd/system/ntpd.service; disabled)
	  Active: failed since Mon, 10 Oct 2011 11:30:55 -0400; 12s ago
	 Process: 2321 ExecStart=/usr/sbin/ntpd -n -u ntp:ntp $OPTIONS (code=exited, status=127)
	  CGroup: name=systemd:/system/ntpd.service
```

Log related to the attempt to start ntpd.service from /var/log/messages:

```
Oct 10 11:31:49 localhost ntpd[2394]: /usr/sbin/ntpd: relocation error: /usr/sbin/ntpd: symbol __fdelt_chk, version GLIBC_2.15 not defined in file libc.so.6 with link time reference
Oct 10 11:31:49 localhost systemd[1]: ntpd.service: main process exited, code=exited, status=127
Oct 10 11:31:49 localhost systemd[1]: Unit ntpd.service entered failed state.
```

---

I just wanted to ensure SELinux was disabled with the command provided above but the status check requested via command "selinuxenabled" gave no result. Based on the man pages, there should be output "1" or "0" but there was nothing in my case. Herewith, I cannot confirm the command "setenforce 0" finished as needed.

```
[root@localhost ~]# selinuxenabled
[root@localhost ~]#
```

---

(In reply to comment #10)
> I just wanted to ensure SELinux was disabled with the command provided
> above but the status check requested via command "selinuxenabled" gave no
> result.
> Based on the man pages, there should be output "1" or "0" but there was nothing in
> my case.
> Herewith, I cannot confirm the command "setenforce 0" finished as needed.
>
>
> [root@localhost ~]# selinuxenabled
> [root@localhost ~]#

use getenforce instead to see the current mode

selinuxenabled's *exit status* gives 0/1 depending on whether selinux is enabled or disabled respectively:

```
selinuxenabled
# echo $?
0
```

(means selinux is enabled)

---

Hi Dominick,

thanks a lot for the fast feedback. I got the point now. SELinux is still enabled of course. I just changed the mode from Enforcing to Permissive:

```
# getenforce
Permissive
# selinuxenabled
# echo $?
0
```

Well the command did what was expected.

---

Zdenek, it looks like you will need to update glibc.

---

Yes. You are right!

1. Installed the following packages:

   ```
   glibc.x86_64 0:2.14.90-10
   glibc-common.x86_64 0:2.14.90-10
   ntp.x86_64 0:4.2.6p4-1.fc16
   ntpdate.x86_64 0:4.2.6p4-1.fc16
   ```

2. Service ntpd was started successfully

   ```
   # systemctl status ntpd.service
   ntpd.service - Network Time Service
   	  Loaded: loaded (/lib/systemd/system/ntpd.service; disabled)
   	  Active: active (running) since Mon, 10 Oct 2011 16:33:08 -0400; 7s ago
   	Main PID: 2276 (ntpd)
   	  CGroup: name=systemd:/system/ntpd.service
   		  └ 2276 /usr/sbin/ntpd -n -u ntp:ntp -g
   ```

I'm sorry if I caused you a headache with this ntpd.service troubleshooting.

-------

I would like to ask now:

1. Please correct me if I'm wrong but does it mean that "ntp" and "ntpdate" are packages needed for correct functionality of network time synchronization (setting it to ON in "Date and Time" settings)? If yes, shouldn't they be installed by default (default part of live-cd)?
2. The SELinux reported both problems. I should probably wait for selinux-policy-3.10.0-39.fc16, shouldn't I?
3. As soon as the update of glibc and glibc-common was finished, I received a SELinux alert where process tzdata-update tried to read /home/liveuser (update done via yum from home dir). This refers to bug 732709. Would it be possible to write some exception list for applications in SELinux that have this "nasty habit" as Daniel Walsh explained in that bug? Users (like me :-) could be confused by these alerts that are actually innocent.

---

1. Probably you should ask ntp or gnome-settings-daemon maintainers.
2. The build is available from koji for now. http://koji.fedoraproject.org/koji/buildinfo?buildID=267889
3. We have in the policy

   ```
   ifdef(`hide_broken_symptoms',`
   ')
   ```

   declaration for broken stuff. Basically we try to fix all this broken stuff.

---

Hello Miroslav,

this bug is fixed with the latest SELinux build (selinux-policy-3.10.0-39). The only bug that pops up now is bug 704692 which is marked as fixed. How can I get rid of this last report? Nevertheless, thanks a lot for your time and support to fix the reported bugs!

---

Zdenek, what does `audit2allow -la` say?

---

After the SELinux alert informed about the problem, your command gave the following output:

```
# audit2allow -la

#============= gnomeclock_t ==============
allow gnomeclock_t init_var_run_t:dir read;
```

---

selinux-policy-3.10.0-40.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-40.fc16

---

Package selinux-policy-3.10.0-40.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-40.fc16'
```

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14363
then log in and leave karma (feedback).

---

Update fixed the reported bug 704692. Another bug that pops up is bug 675278 (fixed in F15):

```
# audit2allow -la

#============= gnomeclock_t ==============
allow gnomeclock_t cgroup_t:dir read;
```

Nevertheless, positive karma left for the latest SELinux release.

---

I'm seeing the same results after updating to selinux-policy-3.10.0-40.fc16 and selinux-policy-targeted-3.10.0-40.fc16.

---

Can you please attach the actual AVC?

---

Created attachment 528628 [details]
setroubleshoot output including AVC info

Dan, I've attached my setroubleshoot output, which hopefully includes what you're looking for.

---

Lennart, when I execute systemctl, is it going to need to list the cgroup directory? If I block this will it cause a problem?

---

selinux-policy-3.10.0-40.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
```
libreport version: 2.0.5.982
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc6.git0.3.fc16.x86_64
reason:         SELinux is preventing /bin/systemctl from 'read' accesses on the directory /lib/systemd/system.
time:           Thu Oct 6 19:27:58 2011
```

description:

```
SELinux is preventing /bin/systemctl from 'read' accesses on the directory /lib/systemd/system.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemctl should be allowed read access on the system directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:systemd_unit_file_t:s0
Target Objects                /lib/systemd/system [ dir ]
Source                        systemctl
Source Path                   /bin/systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-units-35-1.fc16
Target RPM Packages           systemd-units-35-1.fc16
Policy RPM                    selinux-policy-3.10.0-38.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.1.0-0.rc6.git0.3.fc16.x86_64 #1 SMP Fri Sep 16
                              12:26:22 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 06 Oct 2011 07:20:56 PM CEST
Last Seen                     Thu 06 Oct 2011 07:20:56 PM CEST
Local ID                      15c09353-3b3f-4126-aaea-aaec84bdcc10

Raw Audit Messages
type=AVC msg=audit(1317921656.87:218): avc:  denied  { read } for  pid=4630 comm="systemctl" name="system" dev=dm-0 ino=7739 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir


type=SYSCALL msg=audit(1317921656.87:218): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=2100690 a2=90800 a3=0 items=0 ppid=4628 pid=4630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/bin/systemctl subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: systemctl,gnomeclock_t,systemd_unit_file_t,dir,read

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t systemd_unit_file_t:dir read;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t systemd_unit_file_t:dir read;

----------------------------------------------------------------------
```

pops up when switching "Network on/off" in "Date and Time" settings
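As an added example (not part of this bug report and not the Fedora audit2allow tool itself), the following Python shows how the raw AVC record quoted above maps onto the `allow gnomeclock_t systemd_unit_file_t:dir read;` rule that audit2allow printed: it extracts the source and target types, object class and permissions from each AVC denial, ignores SYSCALL records, and merges permissions per (source type, target type, class) the way audit2allow groups its output. The regex, helper names and the second sample record (the cgroup_t denial) are constructed here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first record is the raw AVC line quoted in this
# bug's description; the second is made up here to show several denials grouped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1317921656.87:218): avc: denied { read } for pid=4630 comm="systemctl" name="system" dev=dm-0 ino=7739 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
type=SYSCALL msg=audit(1317921656.87:218): arch=x86_64 syscall=openat success=no exit=EACCES
type=AVC msg=audit(1317921700.00:219): avc: denied { read open } for pid=4631 comm="systemctl" name="cgroup" dev=cgroup ino=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
"""

# Fields of an AVC denial: the permission set in braces, then the source and
# target security contexts and the object class (assumed layout of the record).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Third field of user:role:type[:mls] is the type that TE rules refer to."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"], tuple(m["perms"].split())

def allow_rules(audit_text):
    """Merge denials per source type and emit allow rules in audit2allow's layout."""
    grouped = defaultdict(dict)  # source type -> {(target type, class): set(perms)}
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL and other record types carry no denial
        src, tgt, tclass, perms = parsed
        grouped[src].setdefault((tgt, tclass), set()).update(perms)
    lines = []
    for src in sorted(grouped):
        lines.append(f"#============= {src} ==============")
        for (tgt, tclass), perms in sorted(grouped[src].items()):
            perm_txt = " ".join(sorted(perms))
            if len(perms) > 1:
                perm_txt = "{ " + perm_txt + " }"
            lines.append(f"allow {src} {tgt}:{tclass} {perm_txt};")
    return lines
```

Calling `allow_rules(SAMPLE_AUDIT_LOG)` yields the same rule for the systemd_unit_file_t denial as the report's audit2allow section; reading the rule, rather than loading it with `semodule -i`, is what tells you whether a policy fix like selinux-policy-3.10.0-39 is the right answer or whether, as with the ntpd failure in this thread, the denial is only a side effect of another fault.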